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Executive Summary 


Every day we read of another company being hacked. Attacks outpace defense, and one reason 
for this is the lack of an adequate cybersecurity workforce. The cybersecurity workforce shortfall 
remains a critical vulnerability for companies and nations. Conventional education and policies 
can't meet demand. New solutions are needed to build the cybersecurity workforce necessary in a 
networked world. 


The deficit of cybersecurity talent is a challenge for every industry sector. The lack of trained 
personnel exacerbates the already difficult task of managing cybersecurity risks. Our study 
quantifies the global cybersecurity workforce shortage and analyzes how companies and 
governments should approach cybersecurity workforce development to build a robust and 
sustainable pipeline of skills. 


The eight countries selected for this study—Australia, France, Germany, Israel, Japan, Mexico, the 
United Kingdom (UK), and the United States (US)—reflect a diversity of sizes, educational systems, 
income levels, and political structures. We looked at four dimensions of their cybersecurity 
workforce development efforts: total cybersecurity spending, education programs, employer 
dynamics, and public policies. Our findings are based on open-source data, targeted interviews 
with experts, and an eight-nation survey of information technology (IT) decision makers in both 
public and private sector organizations. 


Each country has unique factors that shape their cybersecurity posture. These can be leveraged 

to develop a stronger cybersecurity workforce. We outline potential improvements to training and 
education programs to build and sustain critical skills for cybersecurity professionals. Our survey of 
employer dynamics highlights the critical role that employers play in recruiting, retaining, and training 
their workforce. Looking to future developments in cybersecurity, we examine how technological 
improvements can reinforce cybersecurity skills. We conclude with recommendations on how to 
improve these four dimensions of the cybersecurity workforce to enhance global cybersecurity. 
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Key Findings 


Respondents in all countries surveyed said 
cybersecurity education was deficient. Eighty- 

two percent of respondents report a shortage of 
cybersecurity skills. More than three out of four (76%) 
respondents believe their government is not investing 
enough in cybersecurity talent. 


This shortage in cybersecurity skills does direct and 
measurable damage, according to 71% of respondents. 
One in three say a shortage of skills makes their 
organizations more desirable hacking targets. One in four 
say insufficient cybersecurity staff strength has damaged 
their organization's reputation and led directly to the loss 
of proprietary data through cyberattack. 


High-value skills are in critically short supply, the most 
scarce being intrusion detection, secure software 
development, and attack mitigation. These skills are in 
greater demand than soft skills in communication and 
collaboration. A majority of respondents (53%) said that 
the cybersecurity skills shortage is worse than talent 
deficits in other IT professions. 


About half the companies surveyed prefer a bachelor’s 
degree in a relevant technical subject as the minimum 
credential required for entry into the field. The utility 
of a degree, however, is more in its market signal 

than its effectiveness in honing cybersecurity skills. 
Respondents ranked hands-on experience and 
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professional certifications as better ways to acquire 
cybersecurity skills than a degree. Sixty-eight percent 
also said that hacking competitions (capture the flag 
exercises) play a role in developing critical cybersecurity 
skills within their organization. 


Almost nine out of 10 respondents said that 
cybersecurity technology could help compensate for 
skill shortages. More than half (55%) of respondents 
believe that, in five years, cybersecurity solutions will 
be able to meet the majority of their organization's 
needs. They also say they will respond to in-house 
talent shortages by expanding their outsourcing 

of cybersecurity. The solutions most likely to be 
outsourced are ones that lend themselves to 
automation and include threat detection (networking 
monitoring and access management). 


More than three out of four (76%) respondents said 
their government is not investing enough in building 
cybersecurity talent, and the same percentage said the 
laws and regulations for cybersecurity in their country 
are insufficient. There is a public demand for political 
leaders to improve cybersecurity legislation. 


Countries can change this shortfall in critical 
cybersecurity skills by increasing government 
expenditure on education, promoting gaming 
and technology exercises, and pushing for more 
cybersecurity programs in higher education. 





The cybersecurity 
workforce shortfall 
remains a critical 
vulnerability for 
companies and nations. 
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Diagnosing the Problem: The Cybersecurity 
Workforce Deficit 


Demand for cybersecurity professionals is outpacing the 
supply of qualified workers in all countries surveyed. This 
conclusion is supported by market studies, our survey 
results, and the significant salary premiums commanded 
by cybersecurity professionals. 


Estimates of the global cybersecurity workforce shortfall 
range from one to two million positions unfilled by 2019.1 
In 2015, about 209,000 cybersecurity jobs went unfilled 
in the United States alone.? 


In our survey of information technology (IT) 
professionals in Australia, France, Germany Israel, Japan, 
Mexico, the UK, and the US, 82% of respondents agree 
that there is a large shortage in their own organization 
as well as their country as a whole. 


This shortage is felt most acutely in Mexico and 
Australia. Eighty-eight percent of respondents in both 
countries believe there is a shortage of cybersecurity 
skills. Highly technical skills are most in demand in all 
eight countries surveyed. Intrusion detection, secure 
software development, and attack mitigation were most 
frequently in the top three skills in demand. These skills 
were in greater demand than softer skills, such as the 
ability to collaborate, manage a team, or communicate 
effectively. Fifty-three percent of respondents say that 
the talent shortage in cybersecurity is somewhat or far 
worse than in other IT professions. 
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Percentage of respondents who say there is a shortage 
of cybersecurity professionals in their country 
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Figure 1. Cybersecurity workforce shortages by country and skillset. 


Compared to the general IT workforce, the shortage 
in cybersecurity professionals is... 


53% 29% 17% 1% 
Somewhat to Same as other Somewhat to Don't know 
far greater workforce skill far less 
shortages 


Figure 2. Cybersecurity workforce shortage relative to IT workforce 
shortage. 
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The cybersecurity shortage is also observed in second- 
order effects, namely in higher compensation for 
cybersecurity positions. Scarcity drives up the value 

of cybersecurity personnel. The median cybersecurity 
salary reported in surveyed countries is at least 2.7 
times the average wage, according to the OECD. 
Cybersecurity jobs in the United States pay an average of 
$6,500 more than other IT professions, a 9% premium.3 
The premium for technical skills appears to be greater 
than management skills. In the United States, the 
highest paying technical security job in is a lead software 
engineer at $233,333 a year; which is around $8,000 
more annually than the salary of a chief information 
security officer (CISO), a role with greater managerial 
responsibilities.4 


Salary premium for cybersecurity professionals 
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Figure 3. Cybersecurity salary premium (annual average salary from 
survey compared to OECD average annual wages).® 
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There are no signs of the cybersecurity workforce 
shortage abating in the near term. Respondents 
estimate an average of 15% of cybersecurity positions in 
their company could go unfilled by 2020. Those in Japan 
and Mexico are most concerned about not meeting 
future cybersecurity demand. 


By 2020, approximately what percentage of cybersecurity jobs 
in your company/industry do you think will go unfilled? 
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Figure 4. Future cybersecurity workforce gap. 


The Changing 
Role of the CISO 


As corporate board 

members worry more 

about cybersecurity, the 

role of the chief information 
security officer is changing. 
Ninety-seven percent of 
survey respondents say 

their organization's board 

of directors now views 
cybersecurity as important. 
The elevated importance of 
cybersecurity is a stark shift, 
as five years ago cybersecurity 
was not even in the top 10 risks 
prioritized by boards according 
to Lloyds’ annual risk survey.5 
More than 76% say that their 
board considers cybersecurity 
skills very or extremely 
important. This elevated role 
for cybersecurity sometimes 
elevates the status of the CISO, 
who in many organizations 
now reports directly to the 
board rather than the chief 
information officer (CIO). A 
study by IDC predicts that by 
2018, 75% of CISOs and chief 
security officers (CSOs) will 
report directly to the CEO or 
board of directors.’ 
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The continued skills shortage creates tangible risks to 
organizations, and companies say they have already 
incurred damages as a result of this workforce gap. 
Respondents Say their organizations, unable to maintain 
adequate cybersecurity staff, have been targeted by 
hackers who suspect a shortage of cybersecurity skills 
at their organization. One in four respondents say their 
organizations have lost proprietary data as a result of 
their cybersecurity skills gap. 





Has a shortage of cybersecurity skills had a negative effect 
on your organization? 


We can't maintain an adequate staff 
of cybersecurity professionals 


We are a target for hackers as 
they know our cybersecurity is 
not strong enough 


|| We've lost proprietary data through 
cyberattacks 


|| We've suffered reputational damage 


o| We've had a reduced ability to create 
new IP for products and services 





Figure 5. Impact of cybersecurity workforce shortage. 


Many students in higher level technical degree programs 
in the United States are from outside the country. As 
many as 68% of US computer science students pursuing 
master's degrees come from outside the United States." 
While the proportion of foreign students in higher 
education is largest in the US, other countries could also 
benefit from this pool of foreign talent through flexible 
immigration and visa policies. 
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Diversify the Cybersecurity Workforce 


Expanding the cybersecurity workforce could be facilitated by pursuing opportunities 
to create a larger, more diverse talent pool. 


In North America, a dearth of women and minorities in the cybersecurity industry 
mirrors trends in academia, according to a survey of academic institutions that 
provide degrees in computer science and engineering or information security.? In this 
study, only 2.6% of doctoral graduates of these programs in 2014 were non-Asian 
minorities, a decrease from 3% in 2013. Women comprise only 17 to 18% of doctoral 
graduates in computer science, engineering, and information security. This mirrors 
industry trends, as an (ISC)? study of 14,000 professionals in cybersecurity revealed 
only 11% were women 1° Anecdotal evidence from our interviews suggests that while 
relevant technical programs are slowly adding more women, black and Hispanic 
students remain in short supply. 





Four Dimensions of Analysis 


We studied four dimensions of the problem that affect 
the cybersecurity workforce pipeline in Australia, France, 
Germany, Israel, Japan, Mexico, the UK, and the US. 


Cybersecurity Spending 

The size and growth of cybersecurity spending 
correlates with the size and growth of the cybersecurity 
workforce and reveals how countries or companies 
prioritize cybersecurity. The United States government 
and the financial services industry, as big cybersecurity 
spenders, are uniquely positioned to pioneer 
recruitment and development practices for others to 
emulate. Similarly, the US and Israel, as large exporters 
of cybersecurity products and services, have established 
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expertise and thus have a head start on improving 
their workforce. 


Market reports estimate total annual global cybersecurity 
spending ranged from $75 billion to more than $100 
billion in 2015 and project annual spending increases 
between 7.4% and 16% over the next five years.” 


The banking industry has been particularly active 

in increasing cybersecurity spending, reflecting its 
prominence as a target—banks are three times more 
likely to be targeted than non-financial institutions."3 
Five banks alone spend more than $1.5 billion on 
cybersecurity."4 According to Bank of America’s CEO, 
cybersecurity is the company's only business unit with 
no budget limit.15 Finance consumes more cybersecurity 
products and services than any other private sector 
industry, and thus could help drive best practices for 
training and hiring cybersecurity talent. Unsurprisingly, 
countries and industry sectors that spend more 

on cybersecurity are better placed to deal with the 
workforce problem. 
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Global cybersecurity spending 
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Figure 6. Global cybersecurity spending.’® 
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Education and Training 

Traditional academic institutions are the primary source 
of initial education and training for cybersecurity 
professionals, but non-traditional methods may be a 
better way to acquire and grow cybersecurity skills. 
Incorporating practical learning into academic programs 
would better prepare cybersecurity professionals for the 
real world. 


To assess available educational capital, we created a 
ranking using the following metrics: overall spending on 
higher education, Science, Technology, Engineering and 
Mathematics (STEM) programs, technical cybersecurity 
curricula in higher education, performance in 
internationally recognized capture the flag exercises, and 
our survey data. 


The US and UK rank highest in current investment 

in cybersecurity education and are best situated to 
institute educational reforms. Mexico, France, and Japan 
rank lowest in cybersecurity education, with low levels 
of government investment in education and a lack of 
STEM graduates. Countries with higher scores are better 
situated to institute reforms to improve the quality of 
cybersecurity education and training. 
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Global education rankings 
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Figure 7. Education ranking by country.’” 
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Around four in 10 respondents listed a bachelor's degree 
as the minimum credential for entry-level positions in 
their organizations, with significant variation among 
countries. Of the countries studied, France and Germany 
were more likely to require a master's degree; 38% and 
32% of respondents, respectively, in these countries cite a 
master's degree as their minimum credential. 


A Bachelor's degree is the minimum credential 
for entry-level positions 
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Figure 8. Minimum cybersecurity credentials. 


While a bachelor's degree is typically considered 
necessary to enter this field, cybersecurity-specific 
offerings in higher education are rare. Cybersecurity 

as an academic discipline or program of study is often 
inaccessible to students. Only 7% of top universities in 
the countries we researched offer an undergraduate 
major or minors in cybersecurity. As for graduate work, 
about a third of top universities offer a master’s degree 
in some cybersecurity field.18 
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Technical cybersecurity programs at universities 
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Figure 9. Cybersecurity education at top universities. 


Despite our respondents’ typical insistence on 

a bachelor’s degree as a baseline credential for 
cybersecurity work, only 23% of respondents say 
education programs are preparing students to enter 
the industry. A bachelor's degree in a technical field 

is ranked third by survey respondents among most 
effective ways to acquire cybersecurity skills, behind 
hands-on experience and professional certifications. 
This contradiction indicates that a degree is more of 

a signal of general competence than an indicator of 
directly relevant cybersecurity skills. In the UK and Japan 
in particular, respondents are more likely to downgrade 
the value of traditional education programs for attaining 
cybersecurity skills. More than three-fourths of survey 
respondents cited professional certifications as an 
effective way to demonstrate skills, with respondents 

in the UK, Australia, Mexico, and Israel finding these 
credentials most useful. 
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How well do you think education programs (universities or vocational) 
are preparing cybersecurity professionals for the industry? 
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Figure 10. Education programs and skill development. 
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g the top five most effective ways 


Hacking the Cybersecurity Workforce 


Gaming can identify talent and cultivate cybersecurity skills. Computer games provide 
iterative learning examples and ways to develop skills at early levels. Some examples of 
cybersecurity games for younger audiences include MySecureCyberspace, a game for 
fourth and fifth graders by Carnegie Mellon; CyberClEGE; and Control-AltHacks.’9 The US 
Department of Defense is also stepping into this field and has produced CyberProtect, 

a game focused on resource management and countermeasure decision-making.?° 
Cybersecurity storylines are increasingly a feature in more mainstream games. Popular 
games such as Watch Dogs, Deus Ex, Bioshock, and Fallout include some hacking element.?" 
Incorporating cybersecurity plot lines and features in gaming can help more people 
appreciate computer networks and understand their vulnerabilities. 


Do national hacking competitions (e.g. capture the flag competitions) 
help develop cybersecurity skills at your company? 
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Figure 11. Role of hacking competitions. 
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Employer Dynamics 

Employers need more effective strategies and incentives 
to recruit and retain top cybersecurity talent. While 
salary is, unsurprisingly, the number one motivating 
factor in recruitment, the second, third, and fourth are 
opportunities for training, reputation of the employer's 
IT department, and potential for advancement. For 
retention, the reputation for innovativeness of the 
company replaces the reputation of the IT department 
as the fourth most important factor. 


What factors are important when recruiting and retaining 
cybersecurity professionals? 
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Figure 12. Recruiting and retaining cybersecurity professionals. 
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Companies need to be strategic in deciding what skills will 
be needed to combat future cybersecurity threats and 
how new technologies can offset workforce shortages. 
Recognizing that many new professionals lack necessary 
skills and that even proficient workers will require 
continuous skill development, employers are increasingly 
providing on-the-job training. A failure to support their 
workforce through training can lead people to leave for 
another job. Almost half our survey respondents cite lack 
of training or sponsorship for qualifications as common 
reasons for talent departing their company. Some 
cybersecurity qualifications and certifications require 
training programs and tests that are often cost prohibitive 
for employees to fund themselves. 








In addition to on-the-job training, employers are looking 
to invest in technology to improve cybersecurity. 

About nine out of 10 respondents say technological 
advancements in cybersecurity could compensate for a 
skills shortage. Given the long timeline to develop and 
train a robust workforce, technological improvements 
could help compensate for the cybersecurity skills gap 
in organizations. 


More than 60% of survey respondents work at 
organizations that outsource at least some cybersecurity 
work. Organizations in Israel and Australia are most 
likely to outsource cybersecurity, while those in the US 
and the UK are most likely to keep these capabilities 

in house. The primary capabilities outsourced are 

risk assessment and mitigation, network monitoring 

and access management, and repair of compromised 
systems. These functions, in particular network 
monitoring and risk mitigation, are moving towards 
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automation to facilitate a faster response to malicious 
activities and more efficient network defense.?3 


Organizations say they will likely expand their outsourcing 
of cybersecurity functions. About one in five respondents 
believe that cybersecurity solutions will be able to meet 
all their organization's needs in five years. In addition 

to cost and efficiencies, 41% of respondents believe 
compatibility with pre-existing systems will be important 
when adopting new technologies. Additional factors that 
organizations use to assess the value of cybersecurity 
innovations include acquisition and implementation 
costs, management efficiency, and effectiveness at 
reducing cyberattacks. Efforts to enhance cybersecurity 
capabilities with technological solutions will require 
organizations to hire and train a workforce that can 
deploy and run these technologies efficiently. 


Percentage of respondents whose company outsources 
cybersecurity services 
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Figure 13. Outsourcing cybersecurity functions. 
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Imprecise job descriptions and lack of metrics 

to assess skills complicate the hiring process for 
cybersecurity jobs. There is often a mismatch between 
job descriptions and actual duties, which creates 
unhappiness in the workforce.*4 Efforts to introduce 
predictability and transparency in the cybersecurity 
job market include the NIST Cybersecurity Workforce 
Framework in the United States,25 but in most countries 
job descriptions are not yet standardized across the 
public and private sectors. 


Government Policies 

Many countries have prioritized cybersecurity and are 
enacting legislation and national strategies, establishing 
coordinating bodies and cybersecurity agencies, and, 

in some cases, funding programs to cultivate a larger 
cybersecurity workforce. The cybersecurity talent gap 
has become a prominent political issue as heads of 
state in the US, UK, Israel, and Australia have all called 
for increased support for the cybersecurity workforce 
in the past year. Most countries we studied also have 
legislation specific to enhancing cybersecurity education. 


Despite increased political engagement on cybersecurity 
workforce issues, however, more must be done to build 
the cybersecurity talent pool. Slightly more than three 
quarters of survey respondents say their governments 
are not investing enough in building cybersecurity talent, 
and the same percentage said the laws and regulations 
for cybersecurity in their country are insufficient. 
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To what extent do you agree with the following statement: 
“My government is not investing enough in cybersecurity skills” 
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Figure 14. Government investment in cybersecurity. 
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Are cybersecurity laws and regulations effective 
in your country? 
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Figure 15. Cybersecurity laws and regulations. 
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How strict are laws and regulations on cybersecurity 
in your country? 
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Figure 16. Cybersecurity laws and regulations. 
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Recommendations 


Closing the gap in cybersecurity skills requires countries 
to develop critical technical skills, cultivate a larger and 
more diverse workforce, and reform education and 
training programs to include more hands-on learning. 
Our study revealed that Australia, France, Germany 
Israel, Japan, Mexico, UK, and the US face similar 
roadblocks to closing the skills gap, but each country 
also has distinct challenges. In light of our findings, we 
have the following recommendations. 





Redefine Minimum Credentials for Entry-Level 
Cybersecurity Jobs: Accept Non-Traditional 
Sources of Education 

Simply put, most educational institutions do not prepare 
students for a career in cybersecurity. Our research 
suggests that cybersecurity education should start at an 
early age, target a more diverse range of students, and 
provide hands-on experiences and training. 


Most institutions of higher education do not offer 
cybersecurity concentrations and do not guide 
graduates to cybersecurity professions. Japan and 
Germany, in particular, have the fewest cybersecurity 
programs at the university level. 


Our survey data suggests that employers should relax 
degree requirements for entry-level cybersecurity 
positions and place greater stock in professional 
certifications and hands-on experience for evidence of 
suitable skills. Universities should seek greater relevance 
in this field by adding cybersecurity courses and working 
with industry and government to tailor curriculum. 
Programs should focus on hands-on learning in the form 
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of labs and classroom exercises to provide people with 
robust and practical skills in this field. 


Early exposure to cybersecurity careers is crucial for 
developing interest in the field. Some countries have 
implemented programs targeting students at the high 
school level that could provide a model for others to 
emulate. In Israel, the Magshimim (“accomplishers”) 
program develops cybersecurity skills and identifies 
talented high school students for recruitment by the 
Israel military.26 Programs like these not only raise 
awareness of potential careers in cybersecurity, 

but identify promising recruits for cybersecurity 
professions. This is potential partnership opportunity for 
governments and the private sector: efforts to leverage 
private sector talent in training teachers, enhancing 
curricula, and offering internships and training 
opportunities to talented high school and college 
students would be mutually beneficial. 





Diversify the Cybersecurity Field 

Increasing the diversity of the cybersecurity workforce 
will also expand the talent pool. According to a number 
of studies and interviews with employers and educators, 
women and minorities are underrepresented in this 
field. Workforce enhancement efforts should aim to 
create a broader pool of cybersecurity talent. 








any people with advanced degrees in fields relevant 
to cybersecurity, including computer and information 
science, have international backgrounds. Rigid 
immigration policies shrink the pool of high-skilled 
workers critical to the cybersecurity workforce. The US 
stands to benefit the most from this recommendation, 
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as it has more than double the university students in 
STEM programs compared to any other country we 
studied. Many of these students are foreign nationals. 
The cybersecurity workforce can be rapidly expanded 
in the United States and other countries with similar 
immigration conditions by increasing the number of 
work visas. 


According to our expert interviews, another barrier 
to expanding the cybersecurity workforce is a stigma 
that lingers with job candidates who have a history of 
hacking.” Employers should develop a more flexible 
attitude towards hiring people who have hacked. 


Provide More Opportunities for 

External Training 

Continued learning is vital to retaining cybersecurity 
talent. While employers may be wary of investing in 
expensive training programs that make employees more 
attractive in the talent marketplace, our survey shows 
the absence of such training is often a significant factor 
in people's decisions to seek alternative employment. 
Governments should consider creative ways to partner 
with the private sector to enhance training opportunities 
for students. Examples of such programs include private 
sector internships and co-ops for university students 
studying STEM subjects. Expanding the number of STEM 
scholarships should also be considered. 





Evolve Skills for Automation 

Employers should evolve skills in response to anticipated 
needs. Our survey found that organizations are looking 
to automate cybersecurity functions to offset the skills 
shortage, as cybersecurity professionals will seek to 
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improve their security environments by incorporating 
automation. This means the cybersecurity workforce 
will have to adapt its skills to increasingly automated 
environments, from “human in the loop” to “Auman on 
the loop” processes, reducing the burden on existing 
cybersecurity staff. While automation will never fully 
replace human judgment, it does create efficiencies, 
which allow cybersecurity professionals to focus their 
time and talent on the more advanced threats that 
require human intervention. 





Collect Data and Develop Better Metrics 

A dearth of data hampers our ability to develop targeted 
cybersecurity policies and strategies and to measure 
effectiveness. More national data on the cybersecurity 
labor market and standardized job functions will help 
drive more tailored solutions. Industry leaders, policy 
makers, and educators should also work to develop a 
common taxonomy of skills. There should be clearly 
defined and commonly understood lists of high-value 
cybersecurity skills applicable across industry sectors. 


Conclusion 


A secure cybersecurity environment requires a 

robust workforce, yet currently there are not enough 
cybersecurity professionals to adequately defend 
computer networks. Countries and companies have to 
act quickly to fix this problem by facilitating the entry of 
more people into this profession through improvements 
in education, workforce diversity, training opportunities, 
security technology, and data collection. These 
concurrent efforts are vital to defeating cybersecurity 
threats and creating a more secure network environment. 
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Appendix 
Which of the following skill sets are most scarce? 
; ; United United 
Mexico Australia Japan Germany Israel France - 
States Kingdom 

Intrusion detection 79% 87% 68% 79% 74% 70% 73% 76% 
Software development 76% 81% 68% 72% 77% 56% 78% 70% 
Attack mitigation 69% 76% 75% 71% 74% 80% 65% 73% 
Ability to communicate 53% 68% 59% 78% 70% 54% 68% 67% 
effectively 
Fluency in programming 65% 67% 60% 59% 64% 46% 67% 52% 
languages 
Ability to manage a team 52% 67% 48% 63% 55% 66% 67% 53% 
Ability to collaborate with 59% 44% 47% 57% 56% 78% 52% 56% 
other team members 

Figure 17. Cybersecurity workforce shortages by country and skillset. 

What cybersecurity does your organization outsource? 

; : United United 
Australia Israel Mexico France Germany Japan : 
States Kingdom 

Protection of networks: Risk 68% 80% 67% 49% 65% 57% 59% 52% 
assessment and mitigation 
Detection of threats: Network 77% 88% 74% 60% 68% 72% 67% 71% 
monitoring, access management 
Correction of threats: Repair of 41% 68% 44% 39% 45% 57% 40% 23% 


compromised systems 





Figure 18. Outsourcing cybersecurity functions. 
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*Methodology 

McAfee commissioned independent technology market research specialist Vanson Bourne to undertake the research upon which 
this report is based. A total of 775 IT decision makers who are involved in cybersecurity within their organization were interviewed 

in May 2016 across the US (200), the UK (100), France (100), Germany (100), Australia (75), Japan (75), Mexico (75) and Israel (50). The 
respondents were from organizations with at least 500 employees, and came from within both public and private sectors. Interviews 
were conducted online using a rigorous multi-level screening process to ensure that only suitable candidates had the opportunity to 
Participate. 


Vanson Bourne is an independent specialist in market research for the technology sector. Their reputation for robust and credible 
research-based analysis is founded upon rigorous research principles and their ability to seek the opinions of senior decision makers 
across technical and business functions, in all business sectors and all major markets. 
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